It just got a lot harder to evade browser fingerprinting: a bunch of boffins have worked out how to fingerprint the machine behind the browser, using only information provided by browser features.
Like so many ideas, it's obvious once someone's thought of it: activities that aren't processed in the browser are treated the same whether the page is rendered in (say) Chrome, Firefox, IE or Edge.
The group – Yinzhi Cao and Song Li of from Lehigh University in Pennsylvania, and Erik Wijmans from Washington University in St. Louis – have worked out how to access various operating system and hardware-level features that can fingerprint an individual machine, regardless of browser.
These include screen resolution with zoom; CPU virtual cores; installed fonts and writing scripts; the AudioContext call; GPU features such as line and curve rendering, anti-aliasing, shading, and transparency; and more.
The researchers reckon they can fingerprint a machine with 99.24 per cent accuracy (compared to under 91 per cent for browser fingerprinting).
Cao and friends say there's one browser that defeats the worst of their attacks: the Tor browser. That's because the Tor people have the position of being paranoid by default: it normalises many of the outputs Cao uses. The only features not given fake values by the Tor browser, the paper says, are screen width-to-height ratio, and AudioContext.